* Thus wrote Matthew Sims:
>
> I just signed up with a new hosting site. So first thing I did was check
> what phpinfo() had to say.
>
> I see that register_globals is turned on. Now I always use the $_GET and
> $_POST vars but will this still affect me?

As long as you don't use third party software you will be perfectly fine.

As Mr. Holmes pointed out, it all depends on how the code was written;
having register globals off makes the insecurity more obvious:

globals == on:
/script.php?loggedin=1

    <?php
    /* a major mistake when one uses
     *   session_register('loggedin');
     * which forces any variable that is defined in
     * global scope aka, _GET, _POST, SESSION...
     */
    if ($loggedin) {
      echo "Display confidential information";
    }
    ?>

globals == off; secured

    <?php
    /* know exactly where the loggedin variable comes from */
    $loggedin = $_SESSION['loggedin'];
    if ($loggedin) {
      echo "Display confidential information";
    }

The major difference between the two is that in the first example the
variable is never officially defined within the php code, and where
it actually is being set is rather unpredictable. With the latter
example, you are ensuring that the variable $loggedin is from the
session variable.

But then now the question arises, was that session variable set
properly...

So in summary, register_globals=off ensures the script how the
variables are being accessed, but it doesn't mean they were set
properly in the first place.

HTH,

Curt
--
Quoth the Raven, "Nevermore."

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
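Added example, not part of the original mail: a PHP sketch of the two checks above run against the same constructed request, plus a login step that covers the "was that session variable set properly" question. The helper names, the merge order used to emulate register_globals, the strict `=== true` comparison and the sample password are assumptions of this example.

```php
<?php
// Added example with constructed data; plain arrays stand in for
// $_GET, $_POST, $_COOKIE and $_SESSION so it runs from the CLI.

/**
 * Emulates the effect of register_globals=on: request and session values
 * are flattened into one scope, later sources overwriting earlier ones.
 * The GET, POST, cookie, session order is an assumption of this sketch.
 */
function import_globals(array $get, array $post, array $cookie, array $session): array
{
    return array_merge($get, $post, $cookie, $session);
}

/** First script from the mail: trusts whatever $loggedin ended up in scope. */
function check_with_globals_on(array $scope): bool
{
    return !empty($scope['loggedin']);
}

/** Second script, tightened here: session only, and only a strict true. */
function check_with_globals_off(array $session): bool
{
    return isset($session['loggedin']) && $session['loggedin'] === true;
}

/** Sets the flag only after the password verifies, so the session value is trustworthy. */
function login(array &$session, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    $session['loggedin'] = true;
    return true;
}

// Constructed input: a visitor with no session requesting /script.php?loggedin=1
$get = ['loggedin' => '1'];
$session = [];
var_dump(check_with_globals_on(import_globals($get, [], [], $session)));
var_dump(check_with_globals_off($session));

// Constructed credential; the flag appears in the session only after a successful login.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
login($session, 'wrong guess', $hash);
var_dump(check_with_globals_off($session));
login($session, 'correct horse', $hash);
var_dump(check_with_globals_off($session));
```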